Bugzilla – Bug 1194866
VUL-0: python-onionshare: multiple CVEs fixed with 2.5
Last modified: 2022-05-02 10:15:30 UTC
Out-of-bounds Read: The desktop application was found to be vulnerable to denial of service via an undisclosed vulnerability in the QT image parsing
Improper Input Sanitation: The path parameter of the requested URL is not sanitized before being passed to the QT frontend
Denial of Service: The receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script
Improper Access Control: Chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom
Improper Access Control: Anyone with access to the chat environment can write messages disguised as another chat participant
Improper Hardening: The filesystem restriction could be hardened and should only allow for pre-defined subfolders
Improper Access Control: Authenticated users (or unauthenticated in public mode) can send messages without being visible in the list of chat participants
Broken Website Hardening Control: The CSP can be turned on or off but not configured for the specific needs of the website
Improper Input Sanitation: It is possible to change the username to that of another chat participant with an additional space character at the end of the name string
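The last two items (messages from a participant not shown in the list, and a username that collides with another participant's once a trailing space is appended) share one root cause: the chat server compares the raw name string instead of a canonical form. The following is an added example, not OnionShare's own code, showing one way a chat backend can normalise a requested name before checking it for uniqueness; the `ParticipantRegistry` class, the `NameRejected` exception, the length limit and the session ids are assumptions made for the illustration.

```python
from __future__ import annotations

import unicodedata

# Hypothetical registry (not OnionShare code): one canonical name per participant.
MAX_NAME_LEN = 32  # assumed limit for the example


class NameRejected(ValueError):
    """Raised when a requested display name is invalid or already taken."""


def canonical_name(raw: str) -> str:
    """Return the key used for uniqueness checks.

    NFKC folds compatibility characters (fullwidth letters, ligatures) to their
    plain equivalents, surrounding and repeated whitespace is collapsed so that
    "alice " and "alice" compare equal, and casefold makes the comparison
    case-insensitive.
    """
    name = unicodedata.normalize("NFKC", raw)
    name = " ".join(name.split())
    return name.casefold()


class ParticipantRegistry:
    """Tracks display names by session id; rejects names that collide after normalisation."""

    def __init__(self) -> None:
        self._by_session: dict[str, str] = {}  # session id -> display name
        self._by_canon: dict[str, str] = {}    # canonical name -> session id

    @staticmethod
    def validate(raw: str) -> str:
        """Normalise the display form and reject empty, oversized or non-printable names."""
        display = " ".join(unicodedata.normalize("NFKC", raw).split())
        if not display:
            raise NameRejected("empty name")
        if len(display) > MAX_NAME_LEN:
            raise NameRejected("name too long")
        if not display.isprintable():  # rejects zero-width and control characters
            raise NameRejected("control characters not allowed")
        return display

    def set_name(self, session_id: str, raw: str) -> str:
        """Assign a name to a session, refusing one another session already owns."""
        display = self.validate(raw)
        key = canonical_name(display)
        owner = self._by_canon.get(key)
        if owner is not None and owner != session_id:
            raise NameRejected(f"name already in use: {display!r}")
        # release the session's previous name, if any, before recording the new one
        old = self._by_session.get(session_id)
        if old is not None:
            self._by_canon.pop(canonical_name(old), None)
        self._by_session[session_id] = display
        self._by_canon[key] = session_id
        return display

    def participants(self) -> list[str]:
        """Every session that may send messages appears here under its display name."""
        return sorted(self._by_session.values())


def try_set_name(registry: ParticipantRegistry, session_id: str, raw: str) -> bool:
    """Convenience wrapper: True if the name was accepted, False if rejected."""
    try:
        registry.set_name(session_id, raw)
        return True
    except NameRejected:
        return False


if __name__ == "__main__":
    reg = ParticipantRegistry()
    print(try_set_name(reg, "s1", "alice"))    # True
    print(try_set_name(reg, "s2", "alice "))   # False: trailing space collapses to "alice"
    print(try_set_name(reg, "s2", "Alice"))    # False: case-insensitive collision
    print(reg.participants())
```

Because every sender must hold an entry in the registry before its messages are relayed, the participant list and the set of sessions allowed to speak are the same data structure, which also closes the "invisible sender" case above.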
@Alex: I saw you are not the bugowner, if you want to re-assign the bug to someone else please go ahead.
(In reply to Robert Frohl from comment #1)
> I saw you are not the bugowner, if you want to re-assign the bug to
> someone else please go ahead.
I don't mind adding some more bug owners to this. Whom do you suggest?
BTW, there is a to-do for the maintenance team open on onionshare - see boo#1191311
(In reply to Axel Braun from comment #2)
> Hello Robert,
> (In reply to Robert Frohl from comment #1)
> > @Alex:
Sorry about that, should have paid better attention :(
> > I saw you are not the bugowner, if you want to re-assign the bug to
> > someone else please go ahead.
> I don't mind adding some more bug owners to this. Whom do you suggest?
I will see if someone is interested.
> BTW, there is a to-do for the maintenance team open on onionshare - see
I think this is in a deadlock at the moment. These dependency updates are hard to change.
(In reply to Robert Frohl from comment #3)
> (In reply to Axel Braun from comment #2)
> > > I saw you are not the bugowner, if you want to re-assign the bug to
> > > someone else please go ahead.
> > I don't mind adding some more bug owners to this. Whom do you suggest?
> I will see if someone is interested.
Thomas would be interested to help out with python-onionshare. He is new with SUSE and is looking to gain some experience with package maintenance. If you agree we can add him as a maintainer/bugowner.
I would also show him how to do a version bump for this issue if you agree and show him how the general process works.
yes, please continue, and welcome Thomas!
I did an upgrade in https://build.opensuse.org/package/show/home:DocB:branches:devel:languages:python/python-onionshare
but still struggling with failed tests.
Thomas is more than welcome to look into this
(In reply to Axel Braun from comment #5)
> Hi Robert,
> yes, please continue, and welcome Thomas!
> I did an upgrade in
> but still struggling with failed tests.
> Thomas is more than welcome to look into this
ok, we will also go through the whole normal process together and try to fix the build.
Any update here?
https://build.opensuse.org/request/show/957507 should fix this
Except it depends on python-cepa, which is quite problematic.
If somebody wants to recover this mess (either porting python-onionshare to using python-stem, or fixing python-cepa to be acceptable for openSUSE), then she is very welcome.
This is an autogenerated message for OBS integration:
This bug (1194866) was mentioned in
https://build.opensuse.org/request/show/967749 Factory / python-onionshare
version 2.5 is in TW - for Leap I do not expect an update, as Python 3.6 is not supported any more